CNIT 127: Exploit Development



Ch 3: Shellcode
Updated 1-30-17
Topics
• Protection rings
• Syscalls
• Shellcode
• nasm Assembler
• ld GNU Linker
• objdump to see contents of object files
• strace System Call Tracer
• Removing Nulls
• Spawning a Shell
Understanding System Calls
Shellcode
• Written in assembler
• Translated into hexadecimal opcodes
• Intended to inject into a system by exploiting a vulnerability
• Typically spawns a root shell, but may do something else
System Calls (or Syscalls)
• Syscalls directly access the kernel, to:
– Get input
– Produce output
– Exit a process
– Execute a binary file
– And more
• They are the interface between protected kernel mode and user mode
Protection Rings
• Although the x86 provides four rings, only rings 0 and 3 are used by Windows or Unix
• Ring 3 is user-land
• Ring 0 is kernel-land
• Links Ch 3a-3c
Protecting the Kernel
• Protected kernel mode
– Prevents user applications from compromising the OS
• If a user mode program attempts to access kernel memory, this generates an access exception
• Syscalls are the interface between user mode and kernel mode
Libc
• C library wrapper
• C functions that perform syscalls
• Advantages of libc
– Allows programs to continue to function normally even if a syscall is changed
– Provides useful functions, like malloc
– (malloc allocates space on the heap)
• See link Ch 3d
Syscalls use INT 0x80
1. Load syscall number into EAX
2. Put arguments in other registers
3. Execute INT 0x80
4. CPU switches to kernel mode
5. Syscall function executes
Syscall Number and Arguments
• Syscall number is an integer in EAX
• Up to six arguments are loaded into
– EBX, ECX, EDX, ESI, EDI, and EBP
• For more than six arguments, the first argument holds a pointer to a data structure
exit()
• The libc exit function does a lot of preparation, carefully covering many possible situations, and then calls SYSCALL to exit
Disassembling exit
• gdb e
– disassemble main
– disassemble exit
– disassemble __run_exit_handlers
• All that stuff is error handling, to prepare for the syscall, which is at the label _exit
• disassemble _exit
Disassembling _exit
• syscall 252, exit_group() (kill all threads)
• syscall 1, exit() (kill calling thread)
– Link Ch 3e
Writing Shellcode for the
exit() Syscall
Shellcode Size
• Shellcode should be as simple and compact as possible
• Because vulnerabilities often only allow a small number of injected bytes
– It therefore lacks error-handling, and will crash easily
Seven Instructions
• exit_group
• exit
Simplest code for exit(0)
nasm and ld
• nasm creates object file
• ld links it, creating an executable ELF file
objdump
• Shows the contents of object files
C Code to Test Shellcode
• From link Ch 3k
• Textbook version explained at link Ch 3i
Compile and Run
• Textbook omits the "-z execstack" option
• Next, we'll use "strace" to see all system calls when this program runs
• That shows a lot of complex calls, and "exit(0)" at the end
Using strace
Injectable Shellcode
Getting Rid of Nulls
• We have null bytes, which will terminate a string and break the exploit
Replacing Instructions
• This instruction contains nulls
– mov ebx,0
• This one doesn't
– xor ebx,ebx
• This instruction contains nulls, because it moves 32 bits
– mov eax,1
• This one doesn't, moving only 8 bits
– mov al, 1
OLD NEW
objdump of New Exit Shellcode
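The null-byte point on the slides above, as an added example that is not part of the slide deck or the textbook: a small C checker that counts the null bytes in the OLD and NEW exit(0) sequences and simulates how much of each a strcpy()-style copy would actually deliver. The byte encodings are the standard 32-bit x86 ones, but the table is constructed here rather than taken from the deck's objdump output; count_bad_bytes generalizes the check to any caller-supplied list of bytes the input path cannot carry.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Opcode bytes for the two exit(0) sequences compared on the slides
 * (32-bit x86). Constructed for this example; not the deck's objdump output. */

/* OLD: mov ebx,0 ; mov eax,1 ; int 0x80 */
static const unsigned char old_exit[] = {
    0xbb, 0x00, 0x00, 0x00, 0x00,   /* mov ebx,0   (imm32 -> four nulls)  */
    0xb8, 0x01, 0x00, 0x00, 0x00,   /* mov eax,1   (imm32 -> three nulls) */
    0xcd, 0x80                      /* int 0x80                           */
};

/* NEW: xor ebx,ebx ; mov al,1 ; int 0x80 */
static const unsigned char new_exit[] = {
    0x31, 0xdb,                     /* xor ebx,ebx (no immediate at all)  */
    0xb0, 0x01,                     /* mov al,1    (imm8, no zero padding)*/
    0xcd, 0x80                      /* int 0x80                           */
};

/* Count how many bytes of `code` appear in the caller's bad-byte list.
 * The slides only discuss 0x00, but the same check applies to any byte a
 * vulnerable input path cannot carry (0x0a for a line-based reader, for
 * instance), so the list is a parameter. */
size_t count_bad_bytes(const unsigned char *code, size_t len,
                       const unsigned char *bad, size_t nbad)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (code[i] == bad[j]) { hits++; break; }
    return hits;
}

/* Convenience wrapper for the case the slides discuss: null bytes only. */
size_t count_nulls(const unsigned char *code, size_t len)
{
    const unsigned char zero = 0x00;
    return count_bad_bytes(code, len, &zero, 1);
}

/* How many bytes a C string routine such as strcpy() would copy before it
 * stops at the first null, i.e. the part of the payload that really lands in
 * the target buffer. Returns `len` when there is no null at all. */
size_t bytes_surviving_strcpy(const unsigned char *code, size_t len)
{
    const unsigned char *p = memchr(code, 0x00, len);
    return p ? (size_t)(p - code) : len;
}

static void report(const char *name, const unsigned char *code, size_t len)
{
    printf("%-4s %2zu bytes, %zu nulls, strcpy() would copy %zu byte(s):",
           name, len, count_nulls(code, len), bytes_surviving_strcpy(code, len));
    for (size_t i = 0; i < len; i++)
        printf(" %02x", code[i]);
    printf("\n");
}

int main(void)
{
    report("OLD", old_exit, sizeof old_exit);   /* 12 bytes, 7 nulls, 1 byte copied  */
    report("NEW", new_exit, sizeof new_exit);   /*  6 bytes, 0 nulls, 6 bytes copied */
    return 0;
}
```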
Spawning a Shell
Beyond exit()
• There's no use for exit() – any illegal instruction can make the program crash
• We want shellcode that offers the attacker a shell, so the attacker can type in arbitrary commands
Five Steps to Shellcode
1. Write high-level code
2. Compile and disassemble
3. Analyze the assembly
4. Clean up assembly, remove nulls
5. Extract commands and create shellcode
fork() and execve()
• Two ways to create a new process in Linux
• Replace a running process
– Uses execve()
• Copy a running process to create a new one
– Uses fork() and execve()
C Program to Use execve()
• See link Ch 3l
Recompile with Static
• objdump of main is long, but we only care about main and __execve
main()
• Pushes 3 Arguments
• Calls __execve
Man Page
• execve() takes three arguments
execve() Arguments
1. Pointer to a string containing the name of the program to execute
– "/bin/sh"
2. Pointer to argument array
– happy
3. Pointer to environment array
– NULL
Objdump of __execve
• Puts four parameters into edx, ecx, ebx, and eax
• INT 80
SD_Creating Excellent and Powerful Learning Facilitation.pptx
jennifersayong3
 

Recently uploaded (20)

Personality Development , Dr. SAROJ KUMAR DATTA
Personality Development , Dr. SAROJ KUMAR DATTAPersonality Development , Dr. SAROJ KUMAR DATTA
Personality Development , Dr. SAROJ KUMAR DATTA
 
sdintegrating21stcenturyskillsinclassroom-basedassessment-240715032004-e59ed7...
sdintegrating21stcenturyskillsinclassroom-basedassessment-240715032004-e59ed7...sdintegrating21stcenturyskillsinclassroom-basedassessment-240715032004-e59ed7...
sdintegrating21stcenturyskillsinclassroom-basedassessment-240715032004-e59ed7...
 
DO5s2024-Orientation-Material.pptx. This is a presentation of DepEd Order No....
DO5s2024-Orientation-Material.pptx. This is a presentation of DepEd Order No....DO5s2024-Orientation-Material.pptx. This is a presentation of DepEd Order No....
DO5s2024-Orientation-Material.pptx. This is a presentation of DepEd Order No....
 
english 9 Quarter 1 Week 1 Modals and its Uses
english 9 Quarter 1 Week 1 Modals and its Usesenglish 9 Quarter 1 Week 1 Modals and its Uses
english 9 Quarter 1 Week 1 Modals and its Uses
 
Bipolar Junction Transistors and operation .pptx
Bipolar Junction Transistors and operation .pptxBipolar Junction Transistors and operation .pptx
Bipolar Junction Transistors and operation .pptx
 
Plato and Aristotle's Views on Poetry by V.Jesinthal Mary
Plato and Aristotle's Views on Poetry  by V.Jesinthal MaryPlato and Aristotle's Views on Poetry  by V.Jesinthal Mary
Plato and Aristotle's Views on Poetry by V.Jesinthal Mary
 
Class-Orientation for school year 2024 - 2025
Class-Orientation for school year 2024 - 2025Class-Orientation for school year 2024 - 2025
Class-Orientation for school year 2024 - 2025
 
How to Set Start Category in Odoo 17 POS
How to Set Start Category in Odoo 17 POSHow to Set Start Category in Odoo 17 POS
How to Set Start Category in Odoo 17 POS
 
Types of Diode and its working principle.pptx
Types of Diode and its working principle.pptxTypes of Diode and its working principle.pptx
Types of Diode and its working principle.pptx
 
Email Marketing in Odoo 17 - Odoo 17 Slides
Email Marketing  in Odoo 17 - Odoo 17 SlidesEmail Marketing  in Odoo 17 - Odoo 17 Slides
Email Marketing in Odoo 17 - Odoo 17 Slides
 
SD_Instructional-Design-Frameworkzz.pptx
SD_Instructional-Design-Frameworkzz.pptxSD_Instructional-Design-Frameworkzz.pptx
SD_Instructional-Design-Frameworkzz.pptx
 
Replacing the Whole Capitalist Stack.pdf
Replacing the Whole Capitalist Stack.pdfReplacing the Whole Capitalist Stack.pdf
Replacing the Whole Capitalist Stack.pdf
 
great athletes ppt bahasa inggris kelas x kurikulum merdeka
great athletes ppt bahasa inggris kelas x kurikulum merdekagreat athletes ppt bahasa inggris kelas x kurikulum merdeka
great athletes ppt bahasa inggris kelas x kurikulum merdeka
 
Module 5 Bone, Joints & Muscle Injuries.ppt
Module 5 Bone, Joints & Muscle Injuries.pptModule 5 Bone, Joints & Muscle Injuries.ppt
Module 5 Bone, Joints & Muscle Injuries.ppt
 
PPT Jessica powerpoint physical geography
PPT Jessica powerpoint physical geographyPPT Jessica powerpoint physical geography
PPT Jessica powerpoint physical geography
 
Brigada eskwela 2024 sample template NARRATIVE REPORT.docx
Brigada eskwela 2024 sample template NARRATIVE REPORT.docxBrigada eskwela 2024 sample template NARRATIVE REPORT.docx
Brigada eskwela 2024 sample template NARRATIVE REPORT.docx
 
Introduction to Literary Criticism 10 (1).pptx
Introduction to Literary Criticism 10 (1).pptxIntroduction to Literary Criticism 10 (1).pptx
Introduction to Literary Criticism 10 (1).pptx
 
How to Add Collaborators to a Project in Odoo 17
How to Add Collaborators to a Project in Odoo 17How to Add Collaborators to a Project in Odoo 17
How to Add Collaborators to a Project in Odoo 17
 
Java Developer Roadmap PDF By ScholarHat
Java Developer Roadmap PDF By ScholarHatJava Developer Roadmap PDF By ScholarHat
Java Developer Roadmap PDF By ScholarHat
 
SD_Creating Excellent and Powerful Learning Facilitation.pptx
SD_Creating Excellent and Powerful Learning Facilitation.pptxSD_Creating Excellent and Powerful Learning Facilitation.pptx
SD_Creating Excellent and Powerful Learning Facilitation.pptx
 

CNIT 127 Ch 3: Shellcode

  • 1. CNIT 127: Exploit Development
 
 Ch 3: Shellcode Updated 1-30-17
  • 2. Topics • Protection rings • Syscalls • Shellcode • nasm Assembler • ld GNU Linker • objdump to see contents of object files • strace System Call Tracer • Removing Nulls • Spawning a Shell
  • 4. Shellcode • Written in assembler • Translated into hexadecimal opcodes • Intended to inject into a system by exploiting a vulnerability • Typically spawns a root shell, but may do something else
  • 5. System Calls (or Syscalls) • Syscalls directly access the kernel, to: – Get input – Produce output – Exit a process – Execute a binary file – And more • They are the interface between protected kernel mode and user mode
  • 6. Protection Rings • Although the x86 provides four rings, only rings 0 and 3 are used by Windows or Unix • Ring 3 is user-land • Ring 0 is kernel-land • Links Ch 3a-3c
  • 7. Protecting the Kernel • Protected kernel mode – Prevents user applications from compromising the OS • If a user mode program attempts to access kernel memory, this generates an access exception • Syscalls are the interface between user mode and kernel mode
  • 8. Libc • C library wrapper • C functions that perform syscalls • Advantages of libc – Allows programs to continue to function normally even if a syscall is changed – Provides useful functions, like malloc – (malloc allocates space on the heap) • See link Ch 3d
  • 9. Syscalls use INT 0x80 1. Load syscall number into EAX 2. Put arguments in other registers 3. Execute INT 0x80 4. CPU switches to kernel mode 5. Syscall function executes
  • 10. Syscall Number and Arguments • Syscall number is an integer in EAX • Up to six arguments are loaded into – EBX, ECX, EDX, ESI, EDI, and EBP • For more than six arguments, the first argument holds a pointer to a data structure
  • 11. exit() • The libc exit function does a lot of preparation, carefully covering many possible situations, and then calls SYSCALL to exit
  • 12. Disassembling exit • gdb e – disassemble main – disassemble exit – disassemble __run_exit_handlers • All that stuff is error handling, to prepare for the syscall, which is at the label _exit • disassemble _exit
  • 13. Disassembling _exit • syscall 252, exit_group() (kill all threads) • syscall 1, exit() (kill calling thread) – Link Ch 3e
  • 14. Writing Shellcode for the exit() Syscall
  • 15. Shellcode Size • Shellcode should be as simple and compact as possible • Because vulnerabilities often only allow a small number of injected bytes – It therefore lacks error-handling, and will crash easily
  • 17. Simplest code for exit(0)
  • 18. nasm and ld • nasm creates object file • ld links it, creating an executable ELF file
  • 19. objdump • Shows the contents of object files
  • 20. C Code to Test Shellcode • From link Ch 3k • Textbook version explained at link Ch 3i
  • 21. Compile and Run • Textbook omits the "-z execstack" option • Next, we'll use "strace" to see all system calls when this program runs • That shows a lot of complex calls, and "exit(0)" at the end
  • 24. Getting Rid of Nulls • We have null bytes, which will terminate a string and break the exploit
  • 25. Replacing Instructions • This instruction contains nulls – mov ebx,0 • This one doesn't – xor ebx,ebx • This instruction contains nulls, because it moves 32 bits – mov eax,1 • This one doesn't, moving only 8 bits – mov al, 1
  • 27. objdump of New Exit Shellcode
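The following C program is an added example (not code from the course, the textbook, or the linked files) that makes slides 24-27 concrete: it hand-assembles the naive exit(0) shellcode and its null-free replacement as byte strings, counts the null bytes, shows how many bytes a strcpy()-style copy would keep before stopping at the first null, and reports which instructions carry the nulls. The byte encodings are the standard x86 ones for the instructions named on the slides (`mov ebx,0`, `mov eax,1`, `xor ebx,ebx`, `mov al,1`, `int 0x80`); the tiny decoder only knows those opcode forms, and all function names are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed byte strings for the two exit(0) shellcodes discussed on the
   slides (hand-assembled here, not copied from the course's objdump output). */
static const unsigned char exit_naive[] = {
    0xbb, 0x00, 0x00, 0x00, 0x00,   /* mov ebx, 0   (32-bit immediate)     */
    0xb8, 0x01, 0x00, 0x00, 0x00,   /* mov eax, 1   (32-bit immediate)     */
    0xcd, 0x80                      /* int 0x80     (EAX=1 -> exit syscall) */
};
static const unsigned char exit_clean[] = {
    0x31, 0xdb,                     /* xor ebx, ebx (no immediate at all)  */
    0xb0, 0x01,                     /* mov al, 1    (8-bit immediate)      */
    0xcd, 0x80                      /* int 0x80                            */
};

/* Length of the instruction starting at p, for the few opcode forms the exit
   shellcode uses; returns 0 for anything this toy decoder does not know. */
size_t instr_len(const unsigned char *p, size_t left)
{
    if (left == 0) return 0;
    unsigned char op = p[0];
    if (op >= 0xb8 && op <= 0xbf) return left >= 5 ? 5 : 0;   /* mov r32, imm32 */
    if (op >= 0xb0 && op <= 0xb7) return left >= 2 ? 2 : 0;   /* mov r8, imm8   */
    if (op == 0x31 && left >= 2 && (p[1] & 0xc0) == 0xc0) return 2; /* xor r32, r32 */
    if (op == 0xcd) return left >= 2 ? 2 : 0;                 /* int imm8       */
    return 0;
}

/* Total number of 0x00 bytes in the buffer. */
size_t count_nulls(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) n++;
    return n;
}

/* Bytes a C string copy would keep: everything before the first null, or the
   whole buffer if there is none. Anything after that point never arrives,
   which is why nulls "break the exploit" on slide 24. */
size_t bytes_before_null(const unsigned char *buf, size_t len)
{
    const unsigned char *z = memchr(buf, 0, len);
    return z ? (size_t)(z - buf) : len;
}

/* Number of decoded instructions that contain at least one null byte.
   Returns (size_t)-1 if an unknown opcode is met, so a caller cannot mistake
   "could not decode" for "no nulls". */
size_t instructions_with_nulls(const unsigned char *buf, size_t len)
{
    size_t i = 0, bad = 0;
    while (i < len) {
        size_t n = instr_len(buf + i, len - i);
        if (n == 0) return (size_t)-1;
        if (memchr(buf + i, 0, n) != NULL) bad++;
        i += n;
    }
    return bad;
}

static void report(const char *name, const unsigned char *buf, size_t len)
{
    printf("%-6s %2zu bytes, %zu nulls, %zu bytes survive a string copy, "
           "%zu instruction(s) carry nulls\n",
           name, len, count_nulls(buf, len), bytes_before_null(buf, len),
           instructions_with_nulls(buf, len));
}

int main(void)
{
    report("naive", exit_naive, sizeof exit_naive);
    report("clean", exit_clean, sizeof exit_clean);
    return 0;
}
```

The naive version loses everything after its second byte to a string copy, and both of its `mov` instructions are the culprits; the clean version has the same effect on EAX and EBX (EAX's upper bytes are not cleared by `mov al,1`, which is fine only because the test harness leaves them zero, a point worth remembering when reusing the pattern).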
  • 29. Beyond exit() • There's no use for exit() – any illegal instruction can make the program crash • We want shellcode that offers the attacker a shell, so the attacker can type in arbitrary commands
  • 30. Five Steps to Shellcode 1. Write high-level code 2. Compile and disassemble 3. Analyze the assembly 4. Clean up assembly, remove nulls 5. Extract commands and create shellcode
  • 31. fork() and execve() • Two ways to create a new process in Linux • Replace a running process – Uses execve() • Copy a running process to create a new one – Uses fork() and execve()
  • 32. C Program to Use execve() • See link Ch 3l
  • 33. Recompile with Static • objdump of main is long, but we only care about main and __execve
  • 34. main() • Pushes 3 Arguments • Calls __execve
  • 35. Man Page • execve() takes three arguments
  • 36. execve() Arguments 1. Pointer to a string containing the name of the program to execute – "/bin/sh" 2. Pointer to argument array – happy 3. Pointer to environment array – NULL
  • 37. Objdump of __execve • Puts four parameters into edx, ecx, ebx, and eax • INT 0x80
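As an added illustration of slides 31 and 36 (my own C, not the program at link Ch 3l), the following builds the three execve() arguments exactly as the slide lists them: a path string, a NULL-terminated argument array, and a NULL environment pointer. It takes the fork()-then-execve() route from slide 31 so the parent survives to collect the child's exit status, and it checks the argv terminator explicitly, since a missing NULL at the end of that array is the usual way hand-built shellcode gets this call wrong. It assumes Linux with /bin/sh available; the command run is just `exit 3`, so the returned status is observable, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Entries before the terminating NULL. The array must end in NULL because
   the kernel walks it until it finds one. */
size_t argv_count(char *const argv[])
{
    size_t n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

/* fork() a copy of this process, then replace the copy with `path` via
   execve(). Returns the child's exit status, or -1 on any failure.
   The environment pointer is NULL, matching slide 36's third argument. */
int run_and_wait(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, NULL);   /* only returns if the exec failed */
        _exit(127);                 /* don't fall back into the parent's code */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Arguments laid out as on slide 36: argv[0] = program name, then the
   arguments, then the NULL terminator. Constructed sample command. */
int demo_exit_status(void)
{
    char *const argv[] = { "/bin/sh", "-c", "exit 3", NULL };
    if (argv_count(argv) != 3)
        return -1;
    return run_and_wait(argv[0], argv);
}

int main(void)
{
    int status = demo_exit_status();
    printf("child exited with status %d\n", status);
    return status == 3 ? 0 : 1;
}
```

In the shellcode version of this call the same three values end up in EBX, ECX and EDX with 11 in EAX, and because the shellcode has no libc it must place the "/bin/sh" string and the argv array in memory itself, which is where the null-avoidance techniques from the earlier slides come back into play.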